BCBS Montana data breach affecting up to 462,000 may reach court

Blue Cross Blue Shield of Montana has asked a Helena district court to halt an administrative investigation by Montana State Auditor James Brown into a data breach tied to third‑party vendor Conduent that may have exposed the personal and medical information of up to 462,000 members. The move brings the dispute over notification timing, regulatory authority and consumer protections to Lewis and Clark County’s courthouse.

The cyber incident was reported to have taken place between October 2024 and January 2025. BCBSMT says it first learned of the incident in January 2025 but did not determine that Montana customers were likely affected until about eight months later. The company reported the matter to the auditor’s office in October 2025, prompting James Brown to open an administrative investigation into whether state breach‑notification law was violated.

BCBSMT, which operates under the Health Care Service Corporation umbrella, argues the auditor lacks authority to investigate because the statute the office cites “didn’t apply to Blue Cross Blue Shield at the time of the breach” and the insurer was “instead covered under a federal law.” In court papers and oral argument, a lawyer for the insurer urged a preliminary injunction, saying “Continuing with a public investigation … would cause irreparable harm to the corporation and create a legal knot that the courts would later have to untangle.”

State regulators have pushed back. Jack Connors, chief legal counsel for the insurance commissioner’s office, told the court that because BCBSMT first notified the auditor after the state law took effect, the company’s actions were “fair game to investigate.” Connors added, “They are trying to stop our investigation and the results of our investigation are going to be a document we are going to put out for the public to read.” He warned that if an injunction were granted, “past, present and future Blue Cross Blue Shield customers would be denied information they’re entitled to when making decisions about their health care and personal privacy.”

Conduent, a New Jersey‑based vendor used for BCBSMT back‑office work, is identified as the source of the leak in reporting but is not a subject of the auditor’s probe. BCBSMT has declined to comment on ongoing litigation.

For Lewis and Clark County residents and policyholders across Montana, the case raises concrete questions: when were affected members notified, what specific data elements were exposed, and whether state regulators can compel public findings and possible penalties. The auditor’s office has said it could seek fines of up to $25,000 per customer if wrongdoing is identified.

Procedural steps are now in the courts in Helena; attorneys met with witnesses in Lewis and Clark County District Court before Judge Christopher Abbott on Jan. 28, 2026, and further hearings and filings are expected. The outcome will determine whether the auditor proceeds with a public accounting of the breach and, ultimately, what information Montanans receive about risks to their health records and privacy.